Comments (3)
Did a bit more playing around and found that if you were to declare your key outside of the closure passed to `HttpServer::new(/* ... */)` it works as expected. Maybe some issue with the lifetime of the key reference? Here is the code that I used to allow this to work:

```rust
use rand::Rng; // brings `gen` into scope

// ...
// Generate the cookie key once, before the worker factory closure is ever called.
let key = rand::thread_rng().gen::<[u8; 32]>();
HttpServer::new(move || {
    // `key` is a `[u8; 32]`, which is `Copy`, so the closure carries the same
    // bytes into every worker instead of generating new ones per worker.
    App::new()
        .wrap(IdentityService::new(
            CookieIdentityPolicy::new(&key)
                .name("test")
                .max_age(60000)
                .secure(false),
        ))
        // register handlers ...
})
// ...
```
Edit

Was thinking about it, and it makes sense. The closure passed to `HttpServer` to create the `App` is called by each worker, of which Actix spins up 8 by default. So each worker would have a different key because the random function call happens within the closure. By moving it outside the closure and calling `clone` you ensure each worker gets the exact same value for the key.

@robjtede I don't believe this is a bug, just the way Actix works.
from actix-extras.
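The per-worker key problem described in the comment above, as an added example that is not part of this thread or of actix-extras: a std-only Rust model in which `RandomState::new()` stands in for `rand::thread_rng().gen::<[u8; 32]>()` (each call yields a fresh random SipHash key) and its keyed `hash_one` stands in for the HMAC that signs the identity cookie. `spawn_workers` plays the role of `HttpServer::new` invoking its factory closure once per worker. All type and function names here are hypothetical.

```rust
use std::collections::hash_map::RandomState;
use std::hash::BuildHasher;

/// Stand-in for a signed identity cookie: the identity plus a keyed tag.
/// (Real actix-identity cookies are HMAC-signed; this is only a model.)
#[derive(Debug, Clone, PartialEq)]
struct SignedCookie {
    identity: String,
    tag: u64,
}

/// Model of one actix worker holding the key its `CookieIdentityPolicy` was built with.
/// `RandomState` stands in for a random 32-byte key; `hash_one` for the keyed tag function.
struct Worker {
    key: RandomState,
}

impl Worker {
    /// Sign an identity with this worker's key (what happens on login).
    fn sign(&self, identity: &str) -> SignedCookie {
        SignedCookie {
            identity: identity.to_string(),
            tag: self.key.hash_one(identity),
        }
    }

    /// Verify a cookie with this worker's key (what happens on every later request).
    /// Returns the identity if the tag matches, or `None`, which is when the user shows up as Anonymous.
    fn verify<'c>(&self, cookie: &'c SignedCookie) -> Option<&'c str> {
        // Toy comparison; a real MAC check must compare in constant time.
        if self.key.hash_one(cookie.identity.as_str()) == cookie.tag {
            Some(cookie.identity.as_str())
        } else {
            None
        }
    }
}

/// Mirrors `HttpServer::new(factory)`: the factory closure runs once per worker.
fn spawn_workers(n: usize, factory: impl Fn() -> Worker) -> Vec<Worker> {
    (0..n).map(|_| factory()).collect()
}

/// The bug from the issue: the key is generated *inside* the factory, so every worker gets its own.
fn workers_with_per_worker_key(n: usize) -> Vec<Worker> {
    spawn_workers(n, || Worker {
        key: RandomState::new(),
    })
}

/// The fix: generate the key once, move it into the factory, and clone it into every worker.
fn workers_with_shared_key(n: usize) -> Vec<Worker> {
    let key = RandomState::new();
    spawn_workers(n, move || Worker { key: key.clone() })
}

/// Signs a cookie on worker 0 and counts how many workers would accept it on a later request.
/// With per-worker keys only worker 0 accepts it; with a shared key all of them do.
fn workers_accepting_cookie(workers: &[Worker], identity: &str) -> usize {
    let cookie = workers[0].sign(identity);
    workers
        .iter()
        .filter(|w| w.verify(&cookie).is_some())
        .count()
}

fn main() {
    let n = 8; // the default worker count mentioned in the comment above
    println!(
        "key inside closure:  {}/{} workers accept worker 0's cookie",
        workers_accepting_cookie(&workers_with_per_worker_key(n), "user1"),
        n
    );
    println!(
        "key outside closure: {}/{} workers accept worker 0's cookie",
        workers_accepting_cookie(&workers_with_shared_key(n), "user1"),
        n
    );
}
```

Running it prints 1/8 for the key-inside-closure case and 8/8 for the shared key: with per-worker keys, any request routed to a worker other than the one that issued the cookie fails verification and the user looks anonymous, which is the symptom the thread describes even though the cookie itself is still present in the browser.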
Replaced `actix_identity` by `actix_session`. Now I'm able to login on `/login` and see `user1` at `/cfg/index` and vice versa. Either something is wrong with `actix_identity` (because when I see `Anonymous` the cookie doesn't go anywhere, it's still there), or I don't understand how it works.

I didn't mention it above, but if you login using `actix_identity`, you'll see the `Anonymous` user on `/` after a minute or so, even though the cookie's age is set to be huge. It doesn't happen now with `actix_session`. I send a request to `/` and still see `user1`.
from actix-extras.
I believe it has something to do with how you are generating the key for the `CookieIdentityPolicy`.

First thing I did was change the code to match what is in the actix-identity documentation, which resolved the issue:

```rust
// Fixed all-zero key, as in the actix-identity docs (fine for a test, not for production).
CookieIdentityPolicy::new(&[0; 32])
    .name("test")
    .max_age(60000)
    .secure(false)
```

Second thing I did was try using a hard coded random key, which also resolved the issue:

```rust
// Hard-coded key; `new` panics if it is given fewer than 32 bytes.
CookieIdentityPolicy::new(
    "SomE LoNg RanDOm K3y That Ha5 Lett3Rs AnD NUm83Rs".as_bytes()
)
.name("test")
.max_age(60000)
.secure(false)
```

NOTE: The second approach is how I've typically done this in the past; I'll have an environment variable set that I will load into the app and use:

```rust
// The String returned by `var` is a temporary that lives until the end of this
// statement, which is long enough because `new` copies the key bytes.
CookieIdentityPolicy::new(
    std::env::var("APP_KEY")
        .expect("APP_KEY not set.")
        .as_bytes()
)
.name("test")
.max_age(60000)
.secure(false)
```

If you want this to be generated randomly at runtime rather than being set as an environment variable, then you can check out this section of the Rust Cook Book on creating random keys from alphanumeric characters.
from actix-extras.